diff options
author | Patrick McHardy <kaber@trash.net> | 2008-04-14 05:15:52 -0400 |
---|---|---|
committer | Patrick McHardy <kaber@trash.net> | 2008-04-14 05:15:52 -0400 |
commit | dd13b010368f85dfa59364ba87bfe8ae930b2832 (patch) | |
tree | f7f0a8fa77858674564aeb614499f40dd3c6dcd8 /include | |
parent | 55871d04793d9c069ee277b1e98794b88d92ed80 (diff) |
[NETFILTER]: nf_nat: kill helper and seq_adjust hooks
Connection tracking helpers (specifically FTP) need to be called
before NAT sequence numbers adjustments are performed to be able
to compare them against previously seen ones. We've introduced
two new hooks around 2.6.11 to maintain this ordering when NAT
modules were changed to get called from conntrack helpers directly.
The cost of netfilter hooks is quite high and sequence number
adjustments are only rarely needed however. Add a RCU-protected
sequence number adjustment function pointer and call it from
IPv4 conntrack after calling the helper.
Signed-off-by: Patrick McHardy <kaber@trash.net>
Diffstat (limited to 'include')
-rw-r--r-- | include/linux/netfilter_ipv4.h | 2 | ||||
-rw-r--r-- | include/net/netfilter/nf_nat_helper.h | 3 |
2 files changed, 3 insertions, 2 deletions
diff --git a/include/linux/netfilter_ipv4.h b/include/linux/netfilter_ipv4.h index 9a10092e358c..650318b0c405 100644 --- a/include/linux/netfilter_ipv4.h +++ b/include/linux/netfilter_ipv4.h | |||
@@ -62,8 +62,6 @@ enum nf_ip_hook_priorities { | |||
62 | NF_IP_PRI_FILTER = 0, | 62 | NF_IP_PRI_FILTER = 0, |
63 | NF_IP_PRI_NAT_SRC = 100, | 63 | NF_IP_PRI_NAT_SRC = 100, |
64 | NF_IP_PRI_SELINUX_LAST = 225, | 64 | NF_IP_PRI_SELINUX_LAST = 225, |
65 | NF_IP_PRI_CONNTRACK_HELPER = INT_MAX - 2, | ||
66 | NF_IP_PRI_NAT_SEQ_ADJUST = INT_MAX - 1, | ||
67 | NF_IP_PRI_CONNTRACK_CONFIRM = INT_MAX, | 65 | NF_IP_PRI_CONNTRACK_CONFIRM = INT_MAX, |
68 | NF_IP_PRI_LAST = INT_MAX, | 66 | NF_IP_PRI_LAST = INT_MAX, |
69 | }; | 67 | }; |
diff --git a/include/net/netfilter/nf_nat_helper.h b/include/net/netfilter/nf_nat_helper.h index 58dd22687949..237a961f40e1 100644 --- a/include/net/netfilter/nf_nat_helper.h +++ b/include/net/netfilter/nf_nat_helper.h | |||
@@ -24,6 +24,9 @@ extern int nf_nat_mangle_udp_packet(struct sk_buff *skb, | |||
24 | extern int nf_nat_seq_adjust(struct sk_buff *skb, | 24 | extern int nf_nat_seq_adjust(struct sk_buff *skb, |
25 | struct nf_conn *ct, | 25 | struct nf_conn *ct, |
26 | enum ip_conntrack_info ctinfo); | 26 | enum ip_conntrack_info ctinfo); |
27 | extern int (*nf_nat_seq_adjust_hook)(struct sk_buff *skb, | ||
28 | struct nf_conn *ct, | ||
29 | enum ip_conntrack_info ctinfo); | ||
27 | 30 | ||
28 | /* Setup NAT on this expected conntrack so it follows master, but goes | 31 | /* Setup NAT on this expected conntrack so it follows master, but goes |
29 | * to port ct->master->saved_proto. */ | 32 | * to port ct->master->saved_proto. */ |